Sophos - DynamicShellcode / Malicious behaviour closing game

Sophos Endpoint with XDR - Error message and closing the game itself with “‘DynamicShellcode’ exploit prevented in Diablo II: Resurrected - Multiplayer Beta”

Related code attached at #Post 7

https://gameindustry.eu/files/dumps/d2r.jpg

This type of antivirus behavior can be expected trying to run brand new software. Temporarily disable your antivirus while trying to run the game. Just make sure and turn it back on when you’re done.

Yes, you’re right about new software. But it’s a thing which has to be fixed for further release. That’s what a beta is for.

Endpoint is not a Home solution, and besides that, disabling security software without knowledge is actually not good advice.

Do you really think that Blizzard sold Diablo 2 to infect your computer with spyware… Wait a second.

Both the game itself and the launcher have been proven to contain spyware and “various things”, but that is not the topic of this thread ;]

This is only about the message. Nothing more, nothing less.

I am getting the same error from Sophos Home.

Mitigation   DynamicShellcode
Timestamp    2021-08-14T07:12:42

Platform     10.0.19042/x64 v678 8f_08
PID          12628
Enabled      007D2A3000000004
Silent       0020000000000000
Application  *.\Diablo II Resurrected Beta\Game.exe
Created      2021-08-12T18:38:51
Modified     2021-08-12T18:38:52
Description  Diablo II: Resurrected - Multiplayer Beta 0.2

Callee Type  AllocateVirtualMemory

Shellcode (HHA) (0x00013000 bytes)
Owner of CALLER: (anonymous; Game.exe)

OwnerModule
Name         Game.exe
SHA-256      a64d47edba63aa67a7f641712554d0ba4daac3f15a09d5ab08795e335eec3d02
SHA-1        36640ea435907d0b9675892c9d0b08f6912a8cf8
MD5          53252a5f2a270db5cf7925c2a24e9ec0

000001EA9408BCAB  ff1567670000             CALL         QWORD [RIP+0x6767]
000001EA9408BCB1  4989c5                   MOV          R13, RAX
000001EA9408BCB4  4d85ed                   TEST         R13, R13
000001EA9408BCB7  ba80000000               MOV          EDX, 0x80
000001EA9408BCBC  0f849e000000             JZ           0x1ea9408bd60
000001EA9408BCC2  488b05dfa70100           MOV          RAX, [RIP+0x1a7df]
000001EA9408BCC9  4889442420               MOV          [RSP+0x20], RAX
000001EA9408BCCE  4c8d4c2434               LEA          R9, [RSP+0x34]
000001EA9408BCD3  4889f1                   MOV          RCX, RSI
000001EA9408BCD6  4c89ea                   MOV          RDX, R13
000001EA9408BCD9  4d89f0                   MOV          R8, R14
000001EA9408BCDC  e82fbfffff               CALL         0x1ea94087c10
000001EA9408BCE1  89c6                     MOV          ESI, EAX

Stack Trace
#  Address          Module                   Location
-- ---------------- ------------------------ ----------------------------------------
1  00007FFB6C751888 KernelBase.dll           VirtualAlloc +0x48

2  000001EA9408BCB1 (anonymous; allocated by 00007FF6C80B3B54, Game.exe)
                    4989c5                   MOV          R13, RAX
                    4d85ed                   TEST         R13, R13
                    ba80000000               MOV          EDX, 0x80
                    0f849e000000             JZ           0x1ea9408bd60
                    488b05dfa70100           MOV          RAX, [RIP+0x1a7df]
                    4889442420               MOV          [RSP+0x20], RAX
                    4c8d4c2434               LEA          R9, [RSP+0x34]
                    4889f1                   MOV          RCX, RSI
                    4c89ea                   MOV          RDX, R13
                    4d89f0                   MOV          R8, R14
                    e82fbfffff               CALL         0x1ea94087c10
                    89c6                     MOV          ESI, EAX
                    48c744244000000000       MOV          QWORD [RSP+0x40], 0x0
                    31c0                     XOR          EAX, EAX
                    4c89ef                   MOV          RDI, R13

3  000001EA940874E3 (anonymous; allocated by 00007FF6C80B3B54, Game.exe)
4  000001EA9408D382 (anonymous; allocated by 00007FF6C80B3B54, Game.exe)
5  000001EA9408770C (anonymous; allocated by 00007FF6C80B3B54, Game.exe)
6  000001EA94091420 (anonymous; allocated by 00007FF6C80B3B54, Game.exe)
7  000001EA94088176 (anonymous; allocated by 00007FF6C80B3B54, Game.exe)
8  000001EA9408A350 (anonymous; allocated by 00007FF6C80B3B54, Game.exe)
9  000001EA9408712C (anonymous; allocated by 00007FF6C80B3B54, Game.exe)
10 000001EA9408C765 (anonymous; allocated by 00007FF6C80B3B54, Game.exe)

Loaded Modules (115)

Process Trace
1  *.\Diablo II Resurrected Beta\Game.exe [12628]
"*.\Diablo II Resurrected Beta\Game.exe" -uid osi_beta
2  *.\Battle.net.exe [12724]
"*.\Battle.net.exe" --from-launcher
3  *.\Battle.net Launcher.exe [11728]
4  C:\Windows\explorer.exe [9464]
5  C:\Windows\System32\userinit.exe [7640]
6  C:\Windows\System32\winlogon.exe [1188]
winlogon.exe
7  C:\Windows\System32\smss.exe [1028]
\SystemRoot\System32\smss.exe 000000e4 00000084 

Thumbprint
2c3791215029dd3abc2dc562136c261dd114c67b698e08ee1f32a3dbeb7dd3da
Module based thumbprint
bf66f35c594b1e388739a3413c9f52703d2282c82d0a5dd44cf0fee2e63496d1
Process based thumbprint
0a2ff999ec96c0db39a1e99554ff6e003e3a9ca4bbc2b2ad57d6e08c5c4bd13a
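
As an added example (not part of the thread and not Sophos tooling), this Python sketch parses alert details in the layout quoted above and pulls out what an analyst checks before deciding on an exclusion: which API call was intercepted, how large the allocation was, which stack frames run from anonymous memory, and which loaded image the "allocated by" address falls in. The field names and layout are taken from this post only; treating them as a stable format is an assumption, and the function names are hypothetical.

```python
import re

# Abbreviated excerpt of the alert quoted in the thread (values copied from the post).
SAMPLE_ALERT = r"""Mitigation   DynamicShellcode
PID          12628
Application  *.\Diablo II Resurrected Beta\Game.exe
Callee Type  AllocateVirtualMemory

Shellcode (HHA) (0x00013000 bytes)

Stack Trace
1  00007FFB6C751888 KernelBase.dll           VirtualAlloc +0x48

2  000001EA9408BCB1 (anonymous; allocated by 00007FF6C80B3B54, Game.exe)
                    4989c5                   MOV          R13, RAX
3  000001EA940874E3 (anonymous; allocated by 00007FF6C80B3B54, Game.exe)

Loaded Modules (115)
00007FF6C6920000-00007FF6C8D84000 *.\Diablo II Resurrected Beta\Game.exe (Blizzard Entertainment),
00007FFB6C6F0000-00007FFB6C9B9000 C:\Windows\System32\KernelBase.dll (Microsoft Corporation),
"""

# Layout assumptions: these patterns match the alert text shown in this thread only.
FIELD_RE = re.compile(r"^(Mitigation|PID|Application|Callee Type)[ \t]+(.+)$", re.M)
SIZE_RE = re.compile(r"\((0x[0-9A-Fa-f]+) bytes\)")
FRAME_RE = re.compile(r"^(\d+)[ \t]+([0-9A-F]{16})[ \t]+(.+)$", re.M)
ANON_RE = re.compile(r"\(anonymous; allocated by ([0-9A-F]{16}), (.+)\)")
MODULE_RE = re.compile(r"^([0-9A-F]{16})-([0-9A-F]{16})[ \t]+(.+?)[ \t]+\(.*?\),", re.M)


def parse_alert(text):
    """Extract header fields, allocation size, stack frames and module ranges."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    size = SIZE_RE.search(text)
    modules = [(int(lo, 16), int(hi, 16), path.rsplit("\\", 1)[-1])
               for lo, hi, path in MODULE_RE.findall(text)]
    frames = []
    for num, addr, rest in FRAME_RE.findall(text):
        anon = ANON_RE.search(rest)
        frames.append({
            "n": int(num),
            "addr": int(addr, 16),
            "anonymous": anon is not None,
            "allocator": int(anon.group(1), 16) if anon else None,
            "module": anon.group(2) if anon else rest.split()[0],
        })
    return {"fields": fields,
            "alloc_bytes": int(size.group(1), 16) if size else None,
            "frames": frames, "modules": modules}


def owning_module(addr, modules):
    """Return the loaded image whose address range contains addr, or None."""
    for lo, hi, name in modules:
        if lo <= addr < hi:
            return name
    return None


def triage(text):
    """Summarise the facts an analyst checks before deciding on an exclusion."""
    alert = parse_alert(text)
    frames = alert["frames"]
    anon = [f for f in frames if f["anonymous"]]
    # Cross-check the alert's "allocated by" claim against the loaded-module ranges.
    allocators = {owning_module(f["allocator"], alert["modules"]) for f in anon}
    return {
        "mitigation": alert["fields"].get("Mitigation"),
        "api": alert["fields"].get("Callee Type"),
        "alloc_bytes": alert["alloc_bytes"],
        "anonymous_frames": [f["n"] for f in anon],
        # Frame 1 is the intercepted API; frame 2 is the code that called it.
        "caller_is_anonymous": len(frames) > 1 and frames[1]["anonymous"],
        "allocator_images": sorted(a or "unknown" for a in allocators),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

An `allocator_images` entry of `unknown` would mean the allocating address lies outside every listed image, which deserves a closer look than an allocation made from the application's own executable.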

Just whitelist the process (game.exe) - don’t disable your a/v altogether that’s terrible advice.

I worked with Sophos for years back in my IT days. “Pedantic” would be my best description for that software.

Add an exception for your false positive.

Any solution to the problem without turning off Sophos?
I tried adding the game to the exceptions but I kept having crashes with the message from Sophos “attack intercepted”

At this stage, it sounds like that is something Sophos and Blizzard will need to work out together… good luck. :roll_eyes:

I just submitted a sample to Sophos for them to hopefully correct the issue.

No solution so far. Nothing that end consumers could do. Just have to whitelist it every new computer session, or at least when it’s required. As Vortex mentioned, it’s a bit pedantic … Sample sent as well~

I have this problem as well. I whitelisted the entire Diablo II directory and game.exe. Still occurs.

It looks like this is related to a new feature in Sophos Intercept X that is designed to stop ransomware attacks. Since links are forbidden (really Blizzard? That’s asinine) delete the space and add a period in the link.

news.sophos com/en-us/2021/03/09/intercept-xs-new-secret-weapon-dynamic-shellcode-protection/

I just use Windows Defender. It doesn’t block games I play and I never get any viruses.

Do you think this will be an issue at launch of the full game? Or just because it’s a beta?

This is indeed still an issue. Can confirm, sadly.
